On 1 October 2018 at 09:26, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Sun, Sep 30, 2018 at 10:59 AM Ard Biesheuvel
> <ard.biesheuvel@xxxxxxxxxx> wrote:
>> Omit the endian swabbing when folding the lengths of the assoc and
>> crypt input buffers into the state to finalize the tag. This is not
>> necessary given that the memory representation of the state is in
>> machine native endianness already.
>>
>> This fixes an error reported by tcrypt running on a big endian system:
>>
>> alg: aead: Test 2 failed on encryption for morus640-generic
>> 00000000: a8 30 ef fb e6 26 eb 23 b0 87 dd 98 57 f3 e1 4b
>> 00000010: 21
>> alg: aead: Test 2 failed on encryption for morus1280-generic
>> 00000000: 88 19 1b fb 1c 29 49 0e ee 82 2f cb 97 a6 a5 ee
>> 00000010: 5f
>
> Yikes, I never really got around to test MORUS and AEGIS on a BE
> machine... My mistake, sorry :/
>
No worries - this is brand new code so this is not entirely unexpected.
>>
>> Fixes: 396be41f16fd ("crypto: morus - Add generic MORUS AEAD implementations")
>> Cc: <stable@xxxxxxxxxxxxxxx> # v4.18+
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
>
> Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
>
Thanks!
>> ---
>> crypto/morus1280.c | 7 ++-----
>> crypto/morus640.c | 16 ++++------------
>> 2 files changed, 6 insertions(+), 17 deletions(-)
>>
>> diff --git a/crypto/morus1280.c b/crypto/morus1280.c
>> index d057cf5ac4a8..3889c188f266 100644
>> --- a/crypto/morus1280.c
>> +++ b/crypto/morus1280.c
>> @@ -385,14 +385,11 @@ static void crypto_morus1280_final(struct morus1280_state *state,
>> struct morus1280_block *tag_xor,
>> u64 assoclen, u64 cryptlen)
>> {
>> - u64 assocbits = assoclen * 8;
>> - u64 cryptbits = cryptlen * 8;
>> -
>> struct morus1280_block tmp;
>> unsigned int i;
>>
>> - tmp.words[0] = cpu_to_le64(assocbits);
>> - tmp.words[1] = cpu_to_le64(cryptbits);
>> + tmp.words[0] = assoclen * 8;
>> + tmp.words[1] = cryptlen * 8;
>> tmp.words[2] = 0;
>> tmp.words[3] = 0;
>>
>> diff --git a/crypto/morus640.c b/crypto/morus640.c
>> index 1ca76e54281b..da06ec2f6a80 100644
>> --- a/crypto/morus640.c
>> +++ b/crypto/morus640.c
>> @@ -384,21 +384,13 @@ static void crypto_morus640_final(struct morus640_state *state,
>> struct morus640_block *tag_xor,
>> u64 assoclen, u64 cryptlen)
>> {
>> - u64 assocbits = assoclen * 8;
>> - u64 cryptbits = cryptlen * 8;
>> -
>> - u32 assocbits_lo = (u32)assocbits;
>> - u32 assocbits_hi = (u32)(assocbits >> 32);
>> - u32 cryptbits_lo = (u32)cryptbits;
>> - u32 cryptbits_hi = (u32)(cryptbits >> 32);
>> -
>> struct morus640_block tmp;
>> unsigned int i;
>>
>> - tmp.words[0] = cpu_to_le32(assocbits_lo);
>> - tmp.words[1] = cpu_to_le32(assocbits_hi);
>> - tmp.words[2] = cpu_to_le32(cryptbits_lo);
>> - tmp.words[3] = cpu_to_le32(cryptbits_hi);
>> + tmp.words[0] = lower_32_bits(assoclen * 8);
>> + tmp.words[1] = upper_32_bits(assoclen * 8);
>> + tmp.words[2] = lower_32_bits(cryptlen * 8);
>> + tmp.words[3] = upper_32_bits(cryptlen * 8);
>>
>> for (i = 0; i < MORUS_BLOCK_WORDS; i++)
>> state->s[4].words[i] ^= state->s[0].words[i];
>> --
>> 2.19.0
>>
>
> Thanks,
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.
